What are the risks of using 22seven?

I am now onto week three of testing out the 22seven app and it is already starting to have an impact on our household finances. On Sunday evening, the day before payday, rather than watching TV, my husband and I were both updating our 22seven budgets.

It was an empowering and revealing exercise and I am going to write more about how we have tailored the app to meet our household financial needs (my son now wants to download it for his bank account), but based on feedback from readers, this week I want to deal with the big security question: is 22seven.com safe?

There are two very valid concerns when it comes to signing up with 22seven: firstly you have to provide your online banking password and PIN which could compromise your banking security; and secondly, the app is free – so how are they making their money? Do you and your valuable personal information become the product?

Banking security

22seven’s technology is powered by Yodlee, the world’s biggest financial services aggregator. Yodlee is the technology that accesses the data from the various financial services companies which it then collates and categorises into intelligible information. So 22seven is not actually the data collector – it is just the interface that makes it accessible and user-friendly, which means 22seven staff have no access to your banking credentials.

Yodlee provides the same technology to 950 organisations globally, including 12 of the 20 largest banks in the US, and collects data from 27 million accounts.  It is a large company ‒ last year it was bought by financial services software company Envestnet for $950 million (R13bn), so they have the financial means to keep the technology cutting edge.

 In order to download the smart money management app 22seven.com and receive a R25 airtime voucher to cover the data costs, click here. You need to create your profile and provide login details for all the accounts you want to link including your current account, clothing accounts, credit cards and investment accounts. Check out this video for more information.

After an initially bumpy start when 22seven first launched in February 2012, the banks are now comfortable with the security of Yodlee and are allowing access to customers’ data ‒ to the extent that Nedbank and Investec are using Yodlee for their own financial aggregator products.

Twice a year, 22seven uses an external security company to test the system to see if there are any holes or ways for hackers to break through. This is the same process employed by the banks.

What gives me a bit of extra comfort is that my online banking password and PIN are no longer enough information to actually transact on my bank account as my bank requires one-time PINs (OTP) for any transactions to go through. So even if the layers of security at 22seven.com were ever breached, the most the person can do with the information is view my accounts.

But that still puts me at risk for identity theft. According to Kenny Inggs, co-founder and chief technical officer at 22seven.com, for this reason the company has added extra security to ensure that all personally identifiable information is encrypted so they have no way to tie into a real person with email, name or identity number, so there is no reason to even try to access it for identity theft. But, just in case, the company has taken out insurance that covers their clients for any personal loss that they could experience if the system’s security was breached.

Are you the product?

So my information may be safe from hackers (as safe as one can be online) but is it safe from a marketing perspective? It would be a fairly profitable business to sell this information, even to their own parent company Old Mutual. In its privacy policy, 22seven.com states that the information cannot be provided to a third party – and that includes Old Mutual. If I decided to close my account, my profile is removed at Yodlee and all records are permanently removed from the 22seven database.

The reality is that 22seven is obliged under the Protection of Personal Information Act (POPI) to keep our information private and secure. There certainly would be legal and financial consequences for breaking this privacy.

How do they make money?

At this stage they are not charging for the service, so how are they going to make their money? And let’s be clear: it is really important it makes money in order to be sustainable.

At the moment Old Mutual is providing funding but the long-term plan is to use 22seven as an online investment channel. Already 22seven offers two low-cost investments, one of which is a tax-free savings account. The competitive edge is the low fees and the ease with which you can invest without going through a huge amount of red tape. Personally I haven’t opened an investment, but a colleague who has said it took a couple of minutes to open and set up the debit order.

At this stage I feel comfortable with both the banking and personal security. Given how much I have used the app in the last three weeks I would be comfortable to pay a reasonable monthly fee for the service.